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(54) System and method of biometric smart card user authentication 



(57) A system and method for authenticating a 
smart card user (54) at a reader device (64) makes use 
of an application (58) on a smart card microprocessor 
(60) on which information fields (56) relating to biometric 
information for the user and a table of predefined prob- 
ability of occurrence values for user authentication is 
stored. The smart card (62) and a biometric sample for 
the user is presented to the reader device (64), and an 
application associated with the reader device automat- 
ically authenticates the user base on a match level be- 



tween the stored biometric information and the present- 
ed biometric sample according to a desired probability 
of occurrence value from the stored table. Alternatively, 
the user (54) is automatically authenticated by an appli- 
cation (58) on the smart card microprocessor (60). The 
reader device reads the presented biometric sample, 
automatically presents what is read to the smart card 
application, and the smart card application then authen- 
ticates the user according to the threshold match score 
from the stored table that corresponds to the desired 
probability of occurrence value. 
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Description 

Cross Reference to Related Applications 

[0001] This application claims the benefit of U.S. Pro- 
visional Patent Application Serial No. 60/084,922 filed 
May 11,1 999. 

Field of the Invention 

[0002] The present invention relates to smart card se- 
curity and more particularly to a system and method of 
biometric authentication of a smart card user. 

Background 

[0003] Authentication is the process by which an en- 
tity, such as a financial institution or bank or other type 
of institution, identifies and verifies its customers or us- 
ers to itself and itself to its customers or users. Authen- 
tication includes the use of physical objects, such as 
cards and/or keys, shared secrets, such as personal 
identification numbers (PIN's) and/or passwords, and 
biometric technologies, such as voice prints, photos, 
signatures and/or fingerprints. Biometric tasks include, 
for example, an identification task and a verification 
task. The verification task determines whether or not the 
individual claiming an identity is the individual whose 
identity is being claimed. The identification task deter- 
mines whether the biometric signal, such as a finger- 
print, matches that of someone already enrolled in the 
system. 

[0004] Typically, biometric systems have a common 
methodology, regardless of their modality, such as fin- 
gerprint, face, voice, or the like. A person enrolls by do- 
nating some number of samples of the biometric. From 
these samples, the biometric system creates a model of 
the particular individual's patterns, which is referred to 
as a template. When the person attempts to access the 
system, the application collects new data. In a verifica- 
tion application, the individual claims an identity, and the 
application retrieves the individual's model from a data- 
base and compares the new signal to the retrieved mod- 
el. The result of this comparison is a match score, which 
indicates how well the new signal matches the template. 
The application then compares the match score ob- 
tained with a pre-defined threshold and decides whether 
to allow or deny access to the individual or, for example, 
to ask the individual for more data. 
[0005] Various authentication parameters are used by 
security systems to verify a valid cardholder and to grant 
the cardholder access to a secured resource. Informa- 
tion parameters, such as PIN's, can be readily read and 
processed by a card reader according to a system ver- 
ification algorithm. However, information can be com- 
promised, so that many authentication systems also re- 
quire person-unique biometric parameters, such as fin- 
gerprints, or retinal images. In such authentication sys- 



tems, cardholder bio-specimens are stored in digital for- 
mat in the system computer. During authentication the 
system obtains the information parameters, for exam- 
ple, from the card, and the biometric parameters from 
5 the person and matches both to the system-stored val- 
ues. For a fingerprint, for example, there are fourteen 
points and interpoint distances that the biometric reader 
compares and, depending on the match score, grants 
or denies access. 
10 [0006] The required match score is a function of a pre- 
selected security level and is set by the application de- 
signer. However, the image acquisition tolerances, as 
well as changes in the person's biometric parameter, 
such as a finger cut on the referenced fingerprint, cause 
is false acceptances, such as accepting an impostor 
(False Accept or FA), and false rejections, such as re- 
jecting a valid user (False Reject or FR). Manufacturers 
of biometric readers or application developers provide 
performance histograms, which are distributions of the 
empirical number of valid acceptances and valid rejec- 
tions provided by the reader. To the extent the distribu- 
tions overlap, there are regions of false rejections of val- 
id users or FR and false acceptance of impostors or FA. 
In setting the system parameters, application designers 
attempt to set a threshold authentication match score 
which balances these tolerances against efficiency for 
a given application. 

[0007] The selected threshold match score is based 
on the desired probability of occurrence or non-occur- 
rence of a FA and/or FR, and the performance histo- 
grams quantify the probability of occurrence of FA and 
FR. These probabilities are inverse, in that by increasing 
the threshold score to reduce the Probability of FA or P 
(FA), the Probability of FR or P(FR) is increased. Con- 
versely, decreasing the threshold to reduce the Proba- 
bility of FR or P(FR) increases the Probability of FA or 
P(FA). 

[0008] In a given application the selected threshold is 
coded into the reader software, and system perform- 
ance is observed. If actual system efficiency is unac- 
ceptable due to a False Reject Rate (FRR) that is too 
high, the threshold score is reduced, and if unaccepta- 
ble due to a False Accept Rate (FAR) that is too high, 
the threshold is increased. Each time the threshold 
score changes, it must be recoded into the reader sys- 
tem software. Similarly, with each new reader model or 
new release, the threshold score must be changed in 
accordance with the new model histograms and possi- 
bly changed again following actual performance evalu- 
ation. Each re-coding of the threshold value generally 
requires a new system software release, together with 
the time and labor required to install the new software. 

Summary of the Invention 

[0009] It is a feature and advantage of the present in- 
vention to provide a system and method of biometric 
smart card user authentication which automatically ad- 
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justs the probability of occurrence or non-occurrence of 
false acceptance of an impostor and false rejection of a 
valid user without the necessity of reprogramming the 
reader system software. 

[0010] It is a further feature and advantage of the 
present invention of provide a system and method of bi- 
ometric smart card user authentication in which the per- 
formance of the biometric technology is independent of 
where the system positions the threshold for false ac- 
ceptance and false rejection. 

[0011] It is another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which makes the 
card application more secure, thereby reducing the risk 
of fraudulent or unauthorized use and allowing for high- 
er-value applications 

[001 2] It is an additional feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which simplifies 
application design requirements by putting the user's bi- 
ometric template on the card, thereby eliminating or 
greatly reducing network traffic. 

[0013] It is still another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which enhances 
security and privacy by eliminating the necessity of 
transmitting the user's biometric template around to dif- 
ferent locations where it is needed. 
[001 4] It is a still further feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which allows ap- 
plication designers to set operating thresholds as tightly 
or as loosely as is appropriate for the particular risk in- 
volved. 

[0015] It is also a feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication with a flexible ar- 
chitecture format for storing biometrics on the smart 
card that is independent of application or biometric 
methodology or vendor. 

[001 6] It is still an additional feature and advantage of 
the present invention to provide a system and method 
of biometric smart card user authentication which sup- 
ports different methods, vendors, and releases, and al- 
lows for flexibility of application deployment. 
[0017] It is another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication in which the user 
is automatically authenticated by an application on the 
smart card. 

[001 8] It is an additional feature and advantage of the 
present invention to provide a method and system of bi- 
ometric smart card user authentication in which the cus- 
tomer's use of the smart card in a transaction ties the 
customer undeniably to the transaction and makes the 
transaction non-reputiatable. 

[0019] To achieve the stated and other features, ad- 
vantages and objects of the present invention, the sys- 



tem and method for authenticating a smart card user at 
a reader device of an embodiment of the present inven- 
tion includes storing information fields for the user on 
the smart card relating to biometric information for the 

s user, also referred to as a biometric template. The bio- 
metric template includes at least one model of biometric 
patterns for the user, such as the user's voice print, pho- 
tograph, signature, fingerprint, hand geometry, retinal 
image or iris scan. The information fields also include a 

10 table of pre-defined probability of occurrence values for 
user authentication, as well as personal data for the us- 
er, identification of a biometric system, and a hashed 
data field. The information fields are stored in an appli- 
cation on a microprocessor of the smart card. 

15 [0020] In an embodiment of the present invention, 
storing the information fields relating to the table of pre- 
defined probability of occurrence values involves auto- 
matically assigning a probability of occurrence value to 
each of a plurality of pre-defined range limit values, 

20 which are automatically identified for each of a plurality 
of value ranges of biometric reader device match 
scores. Identifying the range limit values involves auto- 
matically tabulating a performance histogram distribu- 
tion of biometric reader device match scores for false 

25 acceptance of an impostor and false rejection of a valid 
user into a plurality of value ranges. Tabulating the per- 
formance histogram distribution involves automatically 
quantifying the performance histogram into discrete lev- 
els of biometric reader device match scores and auto- 

30 matically assigning the probability of occurrence value 
for each of the discrete levels of the biometric reader 
device match scores. 

[0021] In an embodiment of the present invention, the 
smart card, together with a biometric sample for the us- 

35 er ; are presented to the reader device, which is associ- 
ated with a terminal, such as at least one of an area 
access terminal, a computer network terminal, a com- 
puter access terminal, a stored value terminal, a mone- 
tary access terminal, a PBX terminal, a long distance 

40 terminal, a personal computer a laptop computer, a per- 
sonal digital assistant, a public internet terminal, and an 
automated teller machine. The presented biometric 
sample is, for example, at least one of a voice print, pho- 
tograph, signature, fingerprint, hand geometry, retinal 

45 image, and an iris scan. 

[0022] In an embodiment of the present invention, the 
user is automatically authenticated by the reader device 
based at least in part on a match level between the 
stored biometric information and the presented biomet- 

50 ric sample according to a desired probability of occur- 
rence value from the stored table. The desired probabil- 
ity of occurrence value is pre-selected by pre-defining a 
desired probability of occurrence value for false accept- 
ance of an impostor and false rejection of a valid user 

55 and pre-defining an instruction set which directs the 
reader device to look to the stored table of probability of 
occurrence values for a false acceptance of an impostor 
and false rejection of a valid user threshold match score 
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corresponding to the desired probability of occurrence 
value. The user authentication is performed by an ap- 
plication associated with the reader device and residing 
on the reader device and/or the terminal. 
[0023] Alternatively, in an embodiment of the present 
invention, in order to provide enhanced security, the us- 
er is automatically authenticated by an application on 
the smart card. For example, the reader device reads 
the presented biometric sample and automatically 
presents what is read by the reader device to the smart 
card application. The smart card application then au- 
thenticates the user according to the threshold match 
score from the table on the smart card application that 
corresponds to the desired probability of occu rrence val- 
ue. 

[0024] Additional objects, advantages and novel fea- 
tures of the present invention will be set forth in part in 
the description which follows, and in part will become 
more apparent to those skilled in the art upon examina- 
tion of the following or may be learned by practice of the 
invention. 

Brief Description of the Drawings 
[0025] 

Fig. 1 is a table which illustrates examples of types 
of data used in measuring biometrics performance 
for an embodiment of the present invention; 
Fig. 2 shows a sample biometric reader device per- 
formance histogram for an embodiment of the 
present invention; 

Fig. 3 is a table which illustrates four possible out- 
comes of a single biometric reader device trial for 
an embodiment of the present invention; 
Fig. 4 is a diagram which illustrates an example of 
a receiver operating characteristic (ROC) curve for 
an embodiment of the present invention; 
Fig. 5 is a flow chart which shows somewhat sche- 
matically an overview of the key components and 
the flow of information between the key compo- 
nents for an embodiment of the present invention; 
Fig. 6 is a table which illustrates examples of the 
type of data stored on the smart card for an embod- 
iment of the present invention; 
Fig. 7 is a table which shows a sample probability 
look-up table for an embodiment of the present in- 
vention; and 

Fig. 8 is a flow chart which provides further detail 
regarding the process of authenticating a user 
through match scoring of a sample biometric ob- 
tained from the user by a biometric reader device 
for an embodiment of the present invention. 

Detailed Description 

[0026] Referring now in detail to an embodiment of the 
present invention, an example of which is illustrated in 



the accompanying drawings, a number of methods can 
be used to quantitatively measure biometrics perform- 
ance. Fig. 1 is a table which illustrates examples of types 
of data used in measuring biometrics performance for 

s an embodiment of the present invention. The types of 
data include, for example, performance histogram 2, 
False Accept Rate (FAR) and False Reject Rate (FRR) 
4, Equal Error Rate (EER) 6 ; Failure to Acquire (FTA) 8, 
and "d 1 " and Receiver Operating Characteristic (ROC) 

10 plots 10. 

[0027] A basic way to look at data for quantitatively 
measuring the performance of biometrics is to inspect 
the performance histogram 2. Each time a trial is per- 
formed, the system returns a match score which is plot- 
's ted in the histogram 2. Fig. 2 illustrates a sample bio- 
metric reader device performance histogram for an em- 
bodiment of the present invention. The histogram 2 has 
the match score 1 2 on the x-axis 1 4, from low scores 1 6 
toward the left side of the histogram to high scores 18 
20 toward the right side of the histogram. The number of 
cases attempted 20 is shown on the y-axis 22 of the his- 
togram 2. Valid users 24 have higher match scores 18 
and are shown on the right side of the histogram 2. Dis- 
tributions vary from device to device, but are commonly 
25 normally distributed as bell curves 26 and 28. Impostors 
30 have lower scores 1 6 and are shown on the left side 
of the histogram 2. Note also that there are usually fewer 
impostors 30 than valid users 24. 
[0028] Referring further to Fig. 2, the vertical line on 
30 the histogram, which separates the two distributions of 
scores 26, 28, is known as the threshold 32. If a user 
scores higher than the threshold 32, the user is accept- 
ed, but if the user scores lower than the threshold, the 
user is rejected. There are four possible outcomes of a 
35 single trial. Fig. 3 is a table with illustrates the four pos- 
sible outcomes of a single biometric reader device trial 
for an embodiment of the present invention. The four 
possible outcomes include, for example, Correct Accept 
34 of a customer, Correct Reject 36 of an impostor, 
40 False Accept or FA 38 of an impostor, and False Reject 
or FR 40 of a customer. The percentage of cases in the 
False Accept or FA 38 outcome is called the False Ac- 
cept Rate (FAR), and the percentage of cases in the 
False Reject or FR 40 outcome is called the False Reject 
45 Rate (FRR). 

[0029] Referring again to Fig. 2, if the threshold 32 is 
repositioned toward the left side of the histogram 2, few- 
er FR's 40 occur, but more FA's 38 occur. If the threshold 
32 is repositioned toward the right side of the histogram 
50 2, more FR's 40 occur, but fewer FA's 38 occur. This is 
the essential tradeoff made in the context of an applica- 
tion for an embodiment of the present invention. An im- 
portant aspect of an embodiment of the present inven- 
tion is that the system and method of the present inven- 
ts tion automatically moves the threshold, and the per- 
formance of the biometric technology is independent of 
where the application positions the threshold 32. 
[0030] The system and method for an embodiment of 
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the present invention moves the threshold 32 according 
to the objectives of greater security or rejecting fewer 
customers. Referring likewise to Fig. 2, if the objective 
is greater security, the threshold 32 is moved to a higher 
position. If the objective is to reject fewer customers, the 
threshold 32 is moved to a lower position. Therefore, 
comparing a system which has, for example, a stated 
performance level of 1 percent FAR and 1 0 percent FRR 
with another system that has, for example, a perform- 
ance level of 2 percent FAR and 8 percent FRR is anal- 
ogous to comparing apples with oranges. 
[0031] Different organizational constituencies typical- 
ly have different perspectives of the FRR and FAR. For 
example, a security professional may prefer to know 
what the FRR will be if the FAR is set to 0 percent, while 
a marketing professional may wish to know what the 
FAR will be if the FRR is set to 0 percent. The number 
that is disposed in the middle is the Equal Error Rate 
(ERR). To address the aspect of movable thresholds, 
another method of quoting performance is the EER. Re- 
ferring further to Fig. 2, to find the EER, the threshold 
32 is set so that the percentage of FAR equals the per- 
centage of FRR, and the overall error is calculated. For 
example, if the threshold 32 is set so that 5 percent of 
valid users 24 are rejected and 5 percent of impostors 
30 are accepted, the overall EER is 5 percent. This is 
the outcomes table of a 5 percent EER. 
[0032] Another measure of biometrics performance is 
called Failure to Acquire (FTA) 8, which is the failure of 
the system to find a signal to analyze. For example, in 
the fingerprint area, this is known as the 'presentation 
problem. 1 If a user does not place the user's finger on 
the scanner with the right orientation, or if the user 
moves the user's finger while the system is scanning, 
the resulting image cannot be processed. Likewise, in 
a speech system, if the user does not speak loudly 
enough, or if there is line noise or a bad connection, the 
system can fail to find the words. In a face verification 
system, the system may not be able to find a head in 
the proper frame it expects, and hence fails to acquire 
the photo. FTA 8 is often a result of human factor prob- 
lems, mainly due to the amount of training a user may 
have or the amount of work a user must do to make the 
biometric work. 

[0033] A numerical description of the degree of sep- 
aration of two distributions, such as the scores of the 
valid users 24 and the scores of the impostors 30, known 
as "d\" is available from statistical decision and signal 
detection theory, and is related to the Neyman-Pearson 
equations describing distributions. It is defined accord- 
ing to the equation: 

d 1 = (m2 - m1)/sqrt [ sd1 2 + sd2 2 )/2] 

in which "d"' is equal to the difference between the 
means of the distributions divided by the square root of 
the average of the squares of the standard deviations 



of the distributions. 

[0034] Fig. 4 is a diagram which illustrates an example 
of a receiver operating characteristic (ROC) curve 42 for 
an embodiment of the present invention. Referring to 
5 Fig. 4, the Probability of False Reject or P(FR) 44 is plot- 
ted on the y-axis 46, and the Probability of False Accept- 
ance or P(FA)) 48 is plotted on the x-axis 50. As previ- 
ously mentioned, there is a tradeoff by moving the 
threshold, for example, higher and rejecting more valid 
10 users 23 but also keeping out more impostors 30. This 
tradeoff is shown as the ROC curve 42. In the ROC 
curve 42, points near the origin (0, 0) 52 represent op- 
erating the biometric with some FA 38 and FR 40, 
whereas points at the ends of the line represent thresh- 
es olds which are set very high or very low. For example, 
the threshold can be set high, such that P(FA) 48 is low 
and P(FR) 44 is high, or the threshold can be set low, 
such that P(FA) 48 is high while P(FR) 44 is low. 
[0035] Fig. 5 is a flow chart which shows somewhat 
schematically the key components and the flow of infor- 
mation between the key components for an embodiment 
of the present invention. Referring to Fig. 5, the system 
and method for biometric authentication of a smart card 
user 54 for an embodiment of the present invention in- 
volves storing certain information fields 56 in an appli- 
cation 58 on a microprocessor 60 embedded in the 
smart card 62, along with a biometric sample 64 itself. 
The information fields 56 include system identification 
and personal data, as well as a hashed data field, which 
is decoded by the system during the authentication 
process to certify the integrity of the information param- 
eters. 

[0036] Referring further to Fig. 5, additionally, the ap- 
plication 58 on the smart card 62 includes a probability 
look-up table 66 which quantifies a reader device per- 
formance histogram distribution into discrete levels of 
match score 12 and assigns a corresponding probability 
factor to each level for both false acceptances of impos- 
tors 30 and false rejections of valid users 24. The system 
reader device 68 is programmed with a desired Proba- 
bility of False Acceptances or P(FA)'s 48 and False Re- 
jections or P(FR)'s 44. The system reader 68 is also pro- 
grammed with an instruction routine that tells the system 
signal processor to look to the probability look-up table 
66 on the card 62 to determine the false acceptances 
or false rejections threshold match score corresponding 
to the desired probability factor, to be used for authen- 
tication. 

[0037] An embodiment of the present invention pro- 
vides an architecture which allows flexibility in applica- 
tion design. Since application requirements vary in 
terms of risk, user populations, channel properties and 
cost, the system and method for an embodiment of the 
present invention supports a wide range of these prop- 
erties. Biometric technology provides a type of security 
that is qualitatively different from that provided by token- 
based methods and information based methods. Token 
based methods make use of something that a user has, 
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such as the card itself, and information-based methods 
utilize something that the user knows, such as a PIN or 
password. Biometric technology for an embodiment of 
the present invention can be used in addition to these 
other methods or by itself. 

[0038] In embodiment of the present invention, the 
use of biometric technology in conjunction with the 
smart card 62 makes the card application 58 more se- 
cure; thereby reducing the risk of fraudulent or unau- 
thorized use. This allows for the implementation of high- 
er-valued applications. Further, such use of biometric 
technology provides for non-repudiation of a transaction 
by the user 54 using the user's smart card 62, so the 
user cannot deny a transaction performed by the user 
with the smart card. In other words, use of biometric 
technology in conjunction with the smart card 62 unde- 
niably ties the user 54 to use of the smart card by the 
user. In addition, by putting the biometric template 64 
on the card 62, application design requirements are sim- 
plified, since network traffic is eliminated or greatly re- 
duced. This also enhances security and privacy, since 
it is unnecessary to transmit the template 64 around to 
different locations where it is needed. 
[0039] The system and method for an embodiment of 
the present invention has numerous applications, such 
as secure area access, computer networkand computer 
access, stored value or other monetary access, PBX 
and long distance access. Each of such applications has 
different requirements in terms of risk, environment, us- 
er, channel and cost. In terms of risk, a transaction 
which, for example, transfers a million dollars to a num- 
bered Swiss bank account has a higher risk than one 
which simply returns a user's bank account balance. 
Gaining access, for example, to a nuclear weapons fa- 
cility or to war plans or lists of secret agents carries a 
greater risk than gaining access to an officer's club or 
DISNEY WORLD. An objective of the application de- 
signer is to set application operating thresholds as tight- 
ly or as loosely as is appropriate for the particular risk 
involved. 

[0040] I n terms of environment, an office environment 
is different, for example, from an outdoor setting in a 
public space or a freezing border crossing station. While 
a face verification system works well, for example, in an 
office environment, it may not work in a public space 
where the lighting and background is uncontrolled. Like- 
wise, a hand geometry unit will not work well at the freez- 
ing border station, unless heated in some way, but a 
speaker verification system may work. In regard to the 
user, if a user uses a particular system frequently, the 
user soon becomes habituated to the system. Since hu- 
man factors are an important part of overall system per- 
formance, a habituated user typically obtains better sys- 
tem performance than an unhabituated user on any giv- 
en biometric. Some biometric methods are easier to 
learn and faster to use than others, so the type of user 
that is anticipated is an important factor in the selection 
and deployment of a biometric. 



[0041] In terms of channel, some biometrics are more 
appropriate than others, depending on the channel of 
use. For example, for long distance or cell phone ac- 
cess, speaker verification is more natural and efficient 

5 than, for example, fingerprinting. Secure area access 
method choice depends on the environment, but signa- 
ture verification may be more difficult than a camera 
based method, given the fact that the user may be car- 
rying packages or the like and standing, or the user may 

10 be in a wheelchair. However, for a point of sale terminal, 
if a signature is required in a credit card transaction an- 
yway, and if the merchant is moving to a paper-less busi- 
ness and the terminal has a pressure sensitive tablet for 
signature capture, then signature verification may be the 

15 most appropriate biometric method. 

[0042] Other channels include, for example, the per- 
sonal computer (PC) at home. Since many people only 
have one phone line into their home, deploying voice 
authentication may be cumbersome. However, a less 

20 cumbersome method may be a camera based method, 
since people may have cameras for other purposes, 
such as videoteleconferencing. Other channels include, 
for example, laptop, personal digital assistant (PDA), 
public internet terminals, automated teller machines 

25 (ATM's), vehicles, and the like. 

[0043] In terms of cost, there are a number of deter- 
minants of cost of a biometric, including the cost of en- 
rollment, such as workstations, user time and monitor- 
ing, if supervised. Other cost factors include, for exam- 

30 pie, the cost of an access trial, such as user time, hard- 
ware and software and operations costs amortized over 
the number of verifications in the expected duration of 
the system, and the cost of storing the templates, such 
as the size of the template divided by cost of storage. 

35 To illustrate an example of the range of costs, a speaker 
verification system can be deployed for a telephone net- 
work that costs approximately $5,000 per channel for a 
processor capable of performing up to 5 verifications a 
minute. If the system performs 300 verifications an hour, 

40 24 hours a day, 7 days a week, 360 days a year, after 3 
years when the system is presumed obsolete, the cost 
per verification is about 6 cents per hundred verifica- 
tions. 

[0044] On the other hand, to illustrate another exam- 
45 pie of the range of costs, an iris scanner at a secure 
room portal might also cost about $5,000, but traffic 
through the portal might only be 30 verifications an hour 
or less, so the cost per verification for the iris scanner 
is proportionally greater than for speaker verification. As 
50 for template size, a hand geometry unit requires only 9 
bytes of storage per template, whereas some fingerprint 
units and voice units require upwards of a kilobyte per 
template. Since memory costs on smart cards are not 
inexpensive, and the amount of time it takes to transfer 
55 the data off the card, in the case of matching template 
to signal off the card, is proportional to the size of the 
template, template size is an important consideration. 
[0045] In an embodiment of the present invention, a 



6 



11 



EP0 956 818 A1 



12 



smart card parameter protocol mandates that certain in- 
formation fields 56 are stored on the card 62, in addition 
to the biometric sample 64 itself. These information 
fields 56 include system identification and personal da- 
ta, as well as a hashed data field, which is decoded by 
the system during the authentication process to certify 
the integrity of the information parameters. Fig. 6 is a 
table which illustrates examples of the type of data 
stored on the smart card 62 for an embodiment of the 
present invention. 

[0046] Referring to Fig. 6, the content of the first six 
fields includes, for example, method 70, vendor 72, re- 
lease 74, template 64, last updated 78, and first enrolled 
80. The method field 70 relates to the biometric technol- 
ogy employed, such as fingerprint. The vendor field 72 
identifies the particular vendor, such as SONY. The re- 
lease field 74 specifies a release number, such as 1 .0. 
The template field 64 is the particular template, and the 
last updated and first enrolled fields 78, 80 indicate 
dates. Referring further to Fig. 6 ; the hash value 82 is a 
value which is arrived at by hashing everything in the 
record. This can be transmitted elsewhere to authenti- 
cate the validity of the template 64. 
[0047] Another aspect of an embodiment of the 
present invention is that the card 62 also includes a 
probability look-up table 66 which quantifies the reader 
device performance histogram distribution into discrete 
levels of match score, such as 200, 300, 400, and so 
on, and assigns a corresponding probability factor to 
each level. Fig. 7 is a table which shows a sample prob- 
ability look-up table 66 for an embodiment of the present 
invention. Referring to Fig. 7, the probability look-up ta- 
ble 66 includes an array of threshold values that are in- 
terpreted by the application 58. For example : for a False 
Accept Rate or FAR of less than 1 in 100, the match 
value between the template 64 and the presented signal 
must be greater than 200. Alternatively, for a False Re- 
ject Rate or FRRof less than 1 in one million, athreshold 
value of 400 is used. This is done for both FA 38 and 
FR40. 

[0048] In an embodiment of the present invention, the 
system reader 68 is programmed with a desired P(FA) 
48 or P(FR) 44 rather than with a fixed threshold value. 
The system reader 68 is also programmed with an in- 
struction routine that tells the system signal processor 
to look to the probability look-up table 66 on the card 62 
to determine the desired probability factor's correspond- 
ing FA 38 or FR 40 threshold match score to be used 
for authentication. This aspect reduces the cost of new 
system releases, since the application software may re- 
main the same and only the cards have to be re-pro- 
grammed, instead of both the system and the cards as 
in the prior art. In addition, the cards may be pro- 
grammed for personalized authentication, for example, 
at either a higher or lower security level, on an individual 
basis, instead of one value fits all. 
[0049] In an embodiment of the present invention, the 
user 54 is authenticated through match scoring of a 



sample biometric obtained from the user by the biomet- 
ric reader device 68. Fig. 8 is a flow chart which provides 
further detail regarding the process of authenticating a 
user through match scoring of a sample biometric ob- 

s tained from the user by a biometric reader device for an 
embodiment of the present invention. At S1 , a biometric 
template 64 for the user 54 is stored in an application 
58 on a microprocessor 60 of the smart card 62, along 
with information fields 56, including system identification 

10 and personal data for the user. At S2, a look-up table 66 
based on a tabulation of performance histogram distri- 
bution of biometric reader device match scores for false 
acceptance or FA 38 and false rejection or FR 40 into 
value ranges, with each value range identified by a 

15 range limit value and each range limit value assigned a 
corresponding probability of occurrence value P(FA) 48 
and P(FR) 44, is also stored on the smart card applica- 
tion 58. 

[0050] Referring further to Fig. 8, at S3, the user 54 
20 presents the smart card 58, along with a new biometric 
sample for the user, to the biometric reader device 68 
pre-programmed with a desired probability of occur- 
rence value and with an instruction set that commands 
the reader device to look to the look-up table 66 on the 
25 card 58 for the range limit value associated with the de- 
sired probability to be used for authentication of the user. 
At S4, the reader device 58 compares the new biometric 
sample for the user 54 with the user's biometric template 
64 stored on the smart card 62 ; identifies the range limit 
30 value associated with the desired probability of occur- 
rence value, and authenticates the user on the basis of 
the identified range limit value. 

[0051] It is clear that there is no 'one biometric fits all' 
for every application, nor is there one operating thresh- 
es old that is appropriate for all applications. An embodi- 
ment of the present invention provides a flexible archi- 
tecture format for storing biometrics on smart cards that 
is independent of application or biometric methodology 
or vendor. In an embodiment of the present invention, 
40 threshold values are no longer 'hardwired' in a specific 
application to a specific method, vendor and specific re- 
lease. The same architecture applies no matter what the 
risk, vendor, biometric method or release. Thresholds 
and methods are determined, and probability density 
45 functions of various vendors, methods and releases are 
derived in order to fill in the threshold values. Thus, an 
embodiment of the present invention supports different 
methods, vendors and releases, and allows for flexibility 
in application deployment. 
50 [0052] Various preferred embodiments of the present 
invention have been described in fulfillment of the vari- 
ous objects of the invention. It should be recognized that 
these embodiments are merely illustrative of the princi- 
ples of the present invention. Numerous modifications 
55 and adaptations thereof will be readily apparent to those 
skilled in the art without departing from the spirit and 
scope of the present invention. Accordingly, the inven- 
tion is limited only by the following claims. 
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Claims 

1. A method of authenticating a smart card user at a 
reader device, comprising: 

storing information fields for the user on the 
smart card relating to biometric information for 
the user and a table of pre-defined probability 
of occurrence values for user authentication; 
presenting the smart card and a biometric sam- 
ple for the user to the reader device; and 
automatically authenticating the user based at 
least in part on a match level between the 
stored biometric information and the presented 
biometric sample according to a desired prob- 
ability of occurrence value from the stored ta- 
ble 

2. The method of claim 1 , wherein storing the informa- 
tion fields relating to the biometric information for 
the user further comprises storing a biometric tem- 
plate for the user. 

3. The method of claim 2, wherein storing the biomet- 
ric template further comprises storing at least one 
model of biometric patterns for the user selected 
from a group of biometric patterns consisting of 
voice print, photograph, signature, fingerprint; hand 
geometry, retinal image, and iris scan. 

4. The method of claim 1 , wherein storing the informa- 
tion fields relating to the table of pre-defined prob- 
ability of occurrence values for user authentication 
further comprises automatically assigning a proba- 
bility of occurrence value to each of a plurality of 
pre-defined range limit values. 

5. The method of claim 4, wherein automatically as- 
signing the probability of occurrence values further 
comprises automatically identifying the range limit 
values for each of a plurality of value ranges of bi- 
ometric reader device match scores. 

6. The method of claim 5, wherein automatically iden- 
tifying the range limit values further comprises au- 
tomatically tabulating a performance histogram dis- 
tribution of biometric reader device match scores for 
false acceptance of an impostor and false rejection 
of a valid user into the plurality of value ranges. 

7. The method of claim 6, wherein automatically tab- 
ulating the performance histogram distribution fur- 
ther comprises automatically quantifying the per- 
formance histogram distribution into discrete levels 
of the biometric reader device match scores. 

8. The method of claim 7, wherein automatically tab- 
ulating the performance histogram distribution fur- 



ther comprises automatically assigning the proba- 
bility of occurrence value for each of the discrete 
levels of the biometric reader device match scores. 

s 9. The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing personal data 
for the user on the smart card. 

10. The method of claim 1 , wherein storing information 
10 fields further comprises storing information related 

to identification of a biometric system on the smart 
card. 

11. The method of claim 1 , wherein storing the informa- 
15 tion fields further comprises storing a hashed data 

field on the smart card. 

12. The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing the information 

20 fields in an application on the smart card. 

13. The method of claim 12, wherein storing the infor- 
mation fields in the application further comprises 
storing the information fields in an application on a 

25 microprocessor of the smart card. 

14. The method of claim 1, wherein presenting the 
smart card further comprises presenting the smart 
cardtothe reader device associated with a terminal. 

30 

15. The method of claim 14, wherein the terminal fur- 
ther comprises at least one of an area access ter- 
minal, a computer network terminal, a computer ac- 
cess terminal, a stored value terminal, a monetary 

35 access terminal, a PBX terminal, a long distance 
terminal, a personal computer, a laptop computer, 
a personal digital assistant, a public internet termi- 
nal, and an automated teller machine. 

40 16. The method of claim 1 , wherein presenting the bio- 
metric sample further comprises presenting the bi- 
ometric sample to the reader device associated with 
a terminal. 

45 17. The method of claim 16, wherein the terminal fur- 
ther comprises at least one of an area access ter- 
minal, a computer networkterminal, a computer ac- 
cess terminal, a stored value terminal, a monetary 
access terminal, a PBX terminal, a long distance 
50 terminal, a personal computer, a laptop computer, 
a personal digital assistant, a public internet termi- 
nal, and an automated teller machine. 

18. The method of claim 1 , wherein presenting the bio- 
55 metric sample further comprises presenting at least 
one biometric sample selected from a group of bio- 
metric samples consisting of voice print, photo- 
graph, signature, fingerprint, hand geometry, retinal 
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image, and iris scan. 

19. The method of claim 1, wherein automatically au- 
thenticating further comprises pre-selecting the de- 
sired probability of occurrence value. 

20. The method of claim 19, wherein pre-selecting the 
desired probability of occurrence value further com- 
prises pre-defining a desired probability of occur- 
rence value for false acceptance of an impostor and 
false rejection of a valid user. 

21. The method of claim 20, wherein pre-defining the 
desired probability of occurrence value further com- 
prises pre-defining an instruction set directing the 
reader device to look to the stored table of proba- 
bility of occurrence values for a false acceptance of 
an impostor and false rejection of a valid user 
threshold match score corresponding to the desired 
probability of occurrence value. 

22. The method of claim 21 , wherein automatically au- 
thenticating further comprises automatically select- 
ing the false acceptance of an impostor and false 
rejection of a valid user threshold match score, such 
that for a desired false acceptance rate, a match 
value between the stored biometric information and 
the biometric sample is at least a pre-determined 
level, and for a desired false rejection rate, the 
match value is less than a pre-determined level. 

23. The method of claim 1, wherein automatically au- 
thenticating further comprise automatically authen- 
ticating the user by an application associated with 
the reader device. 

24. The method of claim 23, wherein automatically au- 
thenticating further comprises automatically au- 
thenticating the user by an application residing at 
least in part on the reader device. 

25. The method of claim 23, wherein automatically au- 
thenticating further comprising automatically au- 
thenticating the user by an application residing at 
least in part on a terminal associated with the reader 
device. 

26. The method of claim 1 , wherein automatically au- 
thenticating further comprises automatically au- 
thenticating the user by an application associated 
with the smart card. 

27. The method of claim 26, wherein automatically au- 
thenticating further comprises automatically au- 
thenticating the user by an application residing at 
least in part on the smart card. 

28. A system for authenticating a smart card user at a 



reader device, comprising: 

means for storing information fields for the user 
on the smart card relating to biometric informa- 
s tionforthe user and a table of pre-defined prob- 

ability of occurrence values for user authenti- 
cation; 

means for presenting the smart card and a bi- 
ometric sample for the user to the reader de- 

10 vice; 

means associated for automatically authenti- 
cating the user by the reader device based at 
least in part on a match level between the 
stored biometric information and the presented 

15 biometric sample according to a desired prob- 

ability of occurrence value from the stored ta- 
ble. 

29. The system of claim 28, wherein the means for stor- 
20 ing the information fields further comprises an ap- 
plication on the smart card. 

30. The system of claim 29, wherein the application on 
the smart card further comprises an application on 

25 a microprocessor of the smart card. 

31. The system of claim 30, wherein the means for pre- 
senting the smart card and the biometric sample fur- 
ther comprises a reader device associated with a 

30 terminal. 

32. The system of claim 31 , wherein the means for pre- 
senting the smart card and the biometric sample fur- 
ther comprises an application associated with the 

35 reader device. 

33. The system of claim 32, wherein the terminal further 
comprises at least one of an area access terminal, 
a computer network terminal, a computer access 

40 terminal, a stored value terminal, a monetary ac- 
cess terminal, a PBX terminal, a long distance ter- 
minal, a personal computer, a laptop computer, a 
personal digital assistant, a public internet terminal, 
and an automated teller machine. 

45 

34. The system of claim 28, wherein the means for au- 
tomatically authenticating the user further compris- 
es an application associated with the reader device. 

50 35. The system of claim 34, wherein the reader device 
is associated with a terminal. 

36. The system of claim 35, wherein the terminal further 
comprises at least one of an area access terminal, 
55 a computer network terminal, a computer access 
terminal, a stored value terminal, a monetary ac- 
cess terminal, a computer access terminal, a stored 
value terminal, a monetary access terminal, a PBX 
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terminal, a long distance terminal, a personal com- 
puter, a laptop computer, a personal digital assist- 
ant, a public internet terminal and an automated tell- 
er machine. 

5 

37. The system of claim 28, wherein the means for au- 
tomatically authenticating further comprises an ap- 
plication associated with the smart card. 
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